At the request of a couple of members I have written down some instructions for those wanting to configure the firewall on the SAR715 with Firmware version 8.2b2.
Sorry this will necessarily be a bit long. I am a W2K user so there may be differences to other OSs that I am not aware of and will make no attempt to cover.
I will try to give a general intro. I will not cover:
- Triggers (because I don't understand them fully myself)
- Host Validators (because I can't find a configuration that would be useful)
- Intrusion Detection (because I have no clue how this works)
That leaves:
- policies
- portfilters
- securitylevels
which I will cover, and which are probably the most useful to get started with.
I will describe using the CLI because I don't fully trust the webinterface in the beta and if you understand the CLI you can probably use the webinterface anyway. (commands to be typed into the CLI are in italics)
- type "telnet://yourrouterip" into your browser. Make sure you use Hyperterminal Private edition (much better than the standard one that comes with W2K. It is a free upgrade from "Hilgraeve". This version will allow you to use "up-arrow" at the command prompt in the telnet window to edit/repeat previous commands, which is an invaluable time saver).
- login using admin/admin or whatever user name you've changed to
- help
This will give you helpful tips in using the CLI regarding auto-completion of commands and command help.
- firewall status
This will show whether the firewall is enabled, the current security level, and the logging options. Don't worry about logging, because I don't know how to retrieve the logs at this point so it's pointless. I am assuming the firewall is still disabled (factory default). If not type firewall disable. We will enable it at the end.
There is a complete set of policies, portfilters, portvalidators, etc for each security level. There is also a problem (bug??) that means that when you switch securitylevel all the settings for the new level are reset to factory defaults. This is a pain as it amounts to only one usable security level until we get docs or a fix for this "bug". (help Steve!) So just switch the router to security level high right now and then do not switch it again as that will wipe everything we do afterwards.
- firewall set securitylevel high
- firewall list policies
This should list three policies pdmz_in, pex_in and pex_in which apply between the respective zones (internal, external and demilitarised). I will not go into the dmz, so just focus on the "pex_in", which should cover most peoples' needs.
- firewall list portfilters pex_in
This lists the factory default portfilters for the external/internal policy. They cover all the common ports and as a default for the high security level don't allow any inbound connections. Note that this CLI list of portfilters gives you the names of each filter; the webinterface does not which I hope will be fixed for the full release. You can't change an existing portfilter; you must delete and recreate it.
Let's change the hei_ftp filter (currently it allows no connections, inbound or outbound) so you can make an outbound FTP connection.
delete it with
- firewall delete portfilter hei_ftp pex_in
check that it's gone
- firewall list portfilters pex_in (remember you can use the up-arrow to retrieve this command)
and recreate it allowing outbound connections
- firewall add portfilter hei_ftp pex_in tcp 21 21 outbound
check it has been added
- firewall list portfilters pex_in
save the configuration
- system config save
The last step means that the new portfilter will be retained after a router reboot. Remember that due to the "securitylevel switching bug", the new settings will be wiped if you switch security levels.
Now let's open a new port so you can use your IMAP mail client (I happen to use IMAP).
- firewall add portfilter hei_imap pex_in tcp 143 143 outbound
- system config save
Some tips regarding the "firewall add portfilter" command:
- You can choose any name for the new portfilter but "hei_imap" fits nicely with the patterns used for the factory defaults.
- "pex_in" can be replaced with one of the other policy names if you are creating a dmz.
- "tcp" can be replaced with any protocol listed if you type firewall list protocols.
- first number is the "startport" the second the "endport"
- "outbound" can be replaced with "inbound", "both" or "none"
Now let's enable the firewall:
- firewall enable
- system config save
You can now relax and feel safer. If you run a port scan (many available for free on the internet), you will see that the SAR715 will not allow any external connection. In fact it will look as if your public IP address doesn't exist, i.e. complete stealth! At the same time you will still be able to use the ports that have been opened for outbound traffic in the:
- firewall list portfilters pex_in
Note that the "hei_imcp" portfilter that is part of the factory defaults is necessary for "ping". If you delete it, you will no longer be able to ping the outside world. The other factory default portfilters should be self-explanatory, especially if you look at their names, e.g. hei_pop3 on port 110 allows you to retrieve your pop mail.
I hope this is a useful introduction for those who want to configure the SAR715's firewall without waiting for the documentation.
Maybe I will add some more on "host validators", "triggers" and "intrusion detection" at a later stage.
It's supposed to be a PC unprotected by the firewall which gets all data sent to it by the router. You would normally put a webserver or other public services in the dmz while keeping your private network behind the firewall. That way if your public server is compromised it doesn't expose the rest of your network.
You are doing this right. By opening just outbound ports you're not opening yourself to attack, except for possible Trojan Horse attacks from the inside as bjd mentioned here:
Personally I don't see how you can prevent all outbound communication by Trojan Horses etc since some ports always have to be open (like port 80 for general surfing). I guess application level outbound filtering tries to watch the actual content of the outbound traffic to determine if it's malicious, which I would consider incredibly difficult considering you are chasing a moving target.
I also enabled https as mentioned by MrSaffron elsewhere. Here is my set of portfilters to help others:
firewall disable
firewall set securitylevel high
firewall delete portfilter hei_ftp pex_in
firewall add portfilter hei_ftp pex_in tcp 21 21 outbound
firewall add portfilter hei_iVis1 pex_in udp 9943 9943 both
firewall add portfilter hei_iVis2 pex_in udp 56768 56768 both
firewall list portfilters pex_in
firewall enable
system config save
I have these commands saved in a txt file which I can send to the router using Hyperterminal's (private edition) "send text file" command. Saves a lot of typing when I reconfigure from scratch.
Explanation:
- setting securitylevel to high resets the portfilters to their factory default due to the "security level changing" bug and gives us a nice common starting point.
- open port 21 for outgoing ftp
- open port 143 for outgoing imap
- open port 443 for outgoing https
- open port 81 outgoing ...this is used by my webhost for the control panel page
- open ports 9943 and 56768 udp bi-directionally for iVisit
- display the finished list
- enable the firewall
- and save the config from getting wiped during a restart
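Added example (not from the thread or the SAR715 firmware): a small Python script that builds the kind of command text file described above from a rule table, checks each rule against the field rules given in the first post (startport/endport, the four directions), and lists which filters accept connections from outside. The protocol list is an assumption; the real one comes from "firewall list protocols".

```python
from dataclasses import dataclass

DIRECTIONS = ("inbound", "outbound", "both", "none")  # the four values the thread lists
PROTOCOLS = ("tcp", "udp")  # assumption; the router's own list comes from 'firewall list protocols'

@dataclass(frozen=True)
class PortFilter:
    name: str       # e.g. hei_imap, following the factory-default naming pattern
    policy: str     # pex_in for the external/internal policy
    protocol: str
    start: int      # startport
    end: int        # endport
    direction: str

def validate(rules):
    """Return a list of problems with the rule table; an empty list means it is consistent."""
    problems = []
    for r in rules:
        if r.protocol not in PROTOCOLS:
            problems.append(f"{r.name}: unknown protocol {r.protocol!r}")
        if not 1 <= r.start <= r.end <= 65535:
            problems.append(f"{r.name}: bad port range {r.start}-{r.end}")
        if r.direction not in DIRECTIONS:
            problems.append(f"{r.name}: bad direction {r.direction!r}")
    return problems

def exposed(rules):
    """Names of filters that accept connections initiated from outside (inbound or both)."""
    return [r.name for r in rules if r.direction in ("inbound", "both")]

def render(rules, replace=(), level="high"):
    """Emit the command script in the thread's order: reset, delete, add, list, enable, save."""
    problems = validate(rules)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["firewall disable", f"firewall set securitylevel {level}"]
    # a factory-default filter cannot be edited, only deleted and recreated
    lines += [f"firewall delete portfilter {n} {p}" for n, p in replace]
    lines += [f"firewall add portfilter {r.name} {r.policy} {r.protocol} {r.start} {r.end} {r.direction}"
              for r in rules]
    lines += [f"firewall list portfilters {p}" for p in sorted({r.policy for r in rules})]
    return "\n".join(lines + ["firewall enable", "system config save"])

# Constructed rule table: the set posted in the thread plus the IMAP filter from the first post.
RULES = [PortFilter("hei_ftp", "pex_in", "tcp", 21, 21, "outbound"),
         PortFilter("hei_imap", "pex_in", "tcp", 143, 143, "outbound"),
         PortFilter("hei_iVis1", "pex_in", "udp", 9943, 9943, "both"),
         PortFilter("hei_iVis2", "pex_in", "udp", 56768, 56768, "both")]
REPLACE = [("hei_ftp", "pex_in")]  # factory default being recreated with a new direction
```

Calling render(RULES, REPLACE) gives the text to send with "send text file"; exposed(RULES) names the two iVisit filters as the only ones that let the outside initiate a connection.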
I am not a Netmeeting user and don't have a way of testing it. But from what I understand from elsewhere on this board Netmeeting, being a typical Microsoft application, uses a complex set of ports and protocols which are not easily handled with a couple of portfilters.
There was talk about an ALG (Application Level Gateway) in the 8.2 firmware which would automatically set up the appropriate connections after the initial handshake over a couple of forwarded ports has taken place. This ALG is not in the current beta and you will have to wait for it.
Sebby - after all that fuss over uPnP did you manage to get files,video and voice working over messenger or have you given up on that ?
Does anyone else know whether enabling the firewall works with uPnP in terms of opening ports for games etc... from reading this post it seems to me like they are mutually exclusive. Is this the case or have I no clue ?